0
votes

According to the documentation you have to pass a secret in TFS 2018 to PowerShell like this:

    Param(
       [string]$sauceArgument,
       [string]$secretSauceArgument
    )
    # Ordinary variables arrive both as environment variables and as arguments
    Write-Host No problem reading $env:SAUCE or $sauceArgument
    # Secret variables are not exposed as environment variables
    Write-Host But I cannot read $env:SECRET_SAUCE
    # ...but they do arrive when mapped explicitly as a script argument
    Write-Host But I can read $secretSauceArgument "(but the log is redacted so I do not spoil the secret)"

Passing it as a string does not allow using the secret in credentials. I am only able to use it when I convert it via ConvertTo-SecureString -AsPlainText, which is supposed to be bad practice according to the documentation:

    $Secure_String_Pwd = ConvertTo-SecureString $secretSauceArgument -AsPlainText -Force

If I change the input type from [String] to [SecureString], I get this conversion error:

    Cannot process argument transformation on parameter 'secretSauceArgument'. Cannot convert the "***" value of type "System.String" to type "System.Security.SecureString".

Does it really have to be converted at all? Does this mean using Secrets is bad practice?

Update to clarify my question: I am able to pass secrets into PowerShell. I am not able to use secrets as credentials (only via ConvertTo-SecureString -AsPlainText -Force, which is bad practice).

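The conversion the question describes, as an added example (not code from the question or from Microsoft's documentation) of how a secret passed as a script argument is turned into a PSCredential that can be handed to cmdlets with a -Credential parameter. The parameter `$serviceAccountName`, the function name and the example target host are assumptions introduced for illustration; the secret is expected to be mapped to `-secretSauceArgument` by the task, as the question shows.

```powershell
# Added example: build a PSCredential from a secret pipeline variable that the
# task passes as a plain script argument. Parameter names other than
# $secretSauceArgument are assumptions, not part of the original question.
Param(
    [Parameter(Mandatory = $true)]
    [string]$serviceAccountName,      # assumed, e.g. 'CONTOSO\svc-build'
    [Parameter(Mandatory = $true)]
    [string]$secretSauceArgument      # secret variable, mapped explicitly in the task
)

function New-CredentialFromArgument {
    param([string]$UserName, [string]$PlainSecret)

    # Secret variables are not exposed as environment variables, so an empty
    # argument almost always means the mapping in the task definition is missing.
    if ([string]::IsNullOrEmpty($PlainSecret)) {
        throw 'The secret argument was empty: map the secret variable explicitly in the task arguments.'
    }

    # The value reaches the script as System.String, so -AsPlainText is unavoidable
    # here; -Force only acknowledges that the plaintext is already in process memory.
    $securePassword = ConvertTo-SecureString -String $PlainSecret -AsPlainText -Force

    # New-Object keeps this working on Windows PowerShell 5.1, which TFS 2018 agents run.
    return New-Object -TypeName System.Management.Automation.PSCredential `
                      -ArgumentList ($UserName, $securePassword)
}

$credential = New-CredentialFromArgument -UserName $serviceAccountName -PlainSecret $secretSauceArgument

# Drop the plaintext copy the script controls; only the SecureString is passed on from here.
$secretSauceArgument = $null

# Hand the credential to a cmdlet rather than echoing it. The agent only redacts the
# exact secret string in the log, so never print it or any transformed form of it.
# Example call (assumed host name):
# Invoke-Command -ComputerName 'build-target.example.local' -Credential $credential -ScriptBlock { hostname }
Write-Host "Credential object built for $($credential.UserName)"
```

Note that this does not make the secret any safer than the question's one-liner: the plaintext has already passed through the agent process as an argument. What the wrapper adds is a clear failure when the mapping is missing, a single place where the plaintext-to-SecureString step happens, and no path by which the value reaches the build log.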

2 Answers

1
votes

Secret variables in Azure DevOps pipeline are encrypted at rest with a 2048-bit RSA key. Secrets are available on the agent for tasks and scripts to use.

You used the variable prefix "secret", which is reserved by the system, so you couldn't read it. Try modifying the variable name so that it does not use a variable prefix that is reserved by the system.

Check Variable characters:

User-defined variables can consist of letters, numbers, ., and _ characters. Don't use variable prefixes that are reserved by the system. These are: endpoint, input, secret, and securefile. Any variable that begins with one of these strings (regardless of capitalization) will not be available to your tasks and scripts.


Update:

Now I understand your issue better. From my test, even if you defined $password = '123' in your script, you would still need -AsPlainText -Force. All variables defined in a script are treated as strings; there is no SecureString in the pipeline. You may try creating a secure string from an encrypted string in a file: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.1#example-2--create-a-secure-string-from-an-encrypted-string-in-a-file.
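The file-based alternative the answer links to, written out as an added example (this is not the answer's code and not Microsoft's sample). The file path, the function names and the account name are assumptions; the mechanism is the documented ConvertFrom-SecureString / ConvertTo-SecureString pair, which without -Key uses Windows DPAPI.

```powershell
# Added example: store a credential once on the build agent as a DPAPI-encrypted
# string, then read it back into a SecureString during the build.
# The path below is an assumption; restrict its ACL to the agent service account.
$vaultFile = 'C:\agent\_secrets\svc-build.cred'

# One-time setup. Run this interactively AS THE ACCOUNT THE AGENT RUNS UNDER:
# without -Key, ConvertFrom-SecureString uses DPAPI, so the output can only be
# decrypted by the same Windows user on the same machine. That property is what
# makes the file safe to leave on the agent, and also why it cannot be created
# elsewhere and copied over.
function Save-EncryptedSecret {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][securestring]$Secret
    )
    $Secret | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ascii
}

# Build-time use. No plaintext variable is ever created in the script.
function Get-StoredCredential {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$UserName
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Encrypted secret file not found: $Path"
    }
    # The file holds one encrypted standard string on a single line.
    $secure = Get-Content -Path $Path | Select-Object -First 1 | ConvertTo-SecureString
    return New-Object -TypeName System.Management.Automation.PSCredential `
                      -ArgumentList ($UserName, $secure)
}

# Setup (Read-Host -AsSecureString keeps the password out of any string variable):
# Save-EncryptedSecret -Path $vaultFile -Secret (Read-Host -Prompt 'Service password' -AsSecureString)
#
# Build step (account name is an assumed placeholder):
# $cred = Get-StoredCredential -Path $vaultFile -UserName 'CONTOSO\svc-build'
# Invoke-Command -ComputerName 'build-target.example.local' -Credential $cred -ScriptBlock { hostname }
```

Two caveats a practitioner should check before adopting this. First, the decrypting account must be the one the agent service actually runs as (NETWORK SERVICE, a domain service account, or whatever was chosen at install), so a file created from an admin's interactive session will not decrypt in the build. Second, adding -Key to both cmdlets makes the file portable between machines, but the key then becomes the secret that has to be stored somewhere, typically back in a pipeline secret variable, which returns you to the situation in the question.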

0
votes

My personal takeaway is: TFS secrets are not optimal for credentials in PowerShell, which is a surprise, because I would expect the main purpose of secrets to be use as credentials.

The answer by Cece Dong - MSFT using a file instead is a solid alternative.